Give patients the opportunity to discuss the confidentiality and security of PHI, and make sure they know how to report concerns or discoveries of breaches.
In its Guide to Privacy and Security of Electronic Health Information, HHS says you must accommodate reasonable requests by patients to receive communications from you by the means or at the locations they specify. For example, they may request that appointment reminders be left on their work voicemail rather than home phone voicemail. For those who prefer email communications, you may send unencrypted emails.
Page 5634 of the Privacy Rules states that clearly: “Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”
The important thing is that patients are advised of risks and that they consent based on personal preference.
Regarding patient consent, there is greater focus now on “meaningful” consent. HHS defines meaningful consent this way:
Consent should not be a “check-the-box” exercise. Meaningful consent occurs when the patient makes an informed decision and the choice is properly recorded and maintained. Specifically the meaningful consent decision has six aspects. The decision should be:
- Made with full transparency and education
- Made only after the patient has had sufficient time to review educational material;
- Commensurate with circumstances for why health information is exchanged (i.e., the further the information-sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision);
- Not used for discriminatory purposes or as a condition for receiving medical treatment;
- Consistent with patient expectations; and
- Revocable at any time
Finally, you should be aware of this provision on Page 5634 of the Privacy Rule:
“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
Tools and Resources for Step 8
See this report as a general reference on security of ePHI.
Guide to Privacy and Security of Electronic Health Information
Privacy Notices can help achieve meaningful consent, and the HHS offers Privacy Notification templates in English and Spanish.
For Healthcare Providers:
NPP Booklet for Healthcare Providers (English)
NPP Booklet for Healthcare Providers (Spanish)
NPP Layered for Healthcare Providers (English)
NPP Layered for Healthcare Providers (Spanish)
NPP Full-Page for Healthcare Providers (English)
NPP Full-Page for Healthcare Providers (Spanish)
NPP Text-Version for Healthcare (English)
NPP Text-Version for Healthcare (Spanish)
For Health Insurers:
NPP Booklet – Health Plan (English)
NPP Booklet – Health Plan (Spanish)
NPP Full-Page – Health Plan (English)
NPP Full-Page – Health Plan (Spanish)
NPP Layered – Health Plan (English)
NPP Layered – Health Plan (Spanish)
NPP Text-Version – Health Plan (English)
NPP Text-Version – Health Plan (Spanish)
A Health Care Professionals’ Privacy Guide updated to cover rules in effect since 2013.
These headings from the Privacy Guide indicate topics covered:
- HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances may share information for treatment purposes.
- HIPAA does not require you to eliminate all incidental disclosures.
- HIPAA is not anti-electronic.
- HIPAA does not cut off all communication between healthcare professionals and the families and friends of patients.
- HIPAA does not prevent calls or visits to hospitals by a patient’s family or friends, the clergy, or anyone else.
- HIPAA does not prevent child abuse reporting.

The Privacy Guide also discusses strengthened patient protections, and includes links to additional resources, including guidelines on communications with family and friends.
Health Care Professional’s Privacy Guide
This eConsent Toolkit includes samples of tools and educational materials that organizations can customize for patient education and meaningful consent.
The toolkit includes a tip sheet on meaningful consent. HHS says organizations can develop content through what it calls a Story Engine feature. The toolkit also contains an eConsent Story Engine download as well as the technical standards needed to download and house the tool, along with a guide for installing and using the tool. To start, you can download an eConsent User Guide.
eConsent Toolkit Tipsheet
eConsent Story Engine
eConsent User Guide
Architectural Analysis and Technical Standards
eConsent Installation Guide